I'm setting up a shared VirtualBox installation (VirtualBox 4.2.12 r84980 with extension pack installed) in /Users/Shared for all users of a Mac (only one Windows license and install needed).
One of VirtualBox's quirks is that every time it's run, a new .vbox (VirtualBox definitions file) is created, with read/write rights granted only to the user that created it.
Since this is done as POSIX permissions:
-rw------- 1 root wheel 7578 Apr 22 09:07 Windows7.vbox
I applied an ACL to the enclosing directory at the time I created the directory:
mkdir /Users/Shared/VirtualBoxVMS
chmod -R +a "everyone allow read,write,file_inherit,directory_inherit" /Users/Shared/VirtualBoxVMS
However users are STILL not allowed to access the folder containing the vbox files: (my comments in bold italic)
pharmacyvpn117-7:Shared mike$ groups mike
staff com.apple.access_screensharing everyone _appstore localaccounts _appserverusr admin _appserveradm _lpadmin _lpoperator _developer
Local user 'mike' is a member of 'everyone'
pharmacyvpn117-7:Shared mike$ ls -lRe /Users/Shared
total 0
drwxr-xr-x+ 5 root wheel 170 Apr 19 10:21 VirtualBoxVMS
0: group:everyone allow list,add_file,file_inherit,directory_inherit
/Users/Shared/VirtualBoxVMS:
total 0
drwxr-xr-x+ 3 root wheel 102 Apr 19 10:21 HDs
0: group:everyone inherited allow list,add_file,file_inherit,directory_inherit
drwxr-xr-x+ 2 root wheel 68 Apr 19 10:21 SharedWithMac
0: group:everyone inherited allow list,add_file,file_inherit,directory_inherit
drwxr-xr-x+ 3 root wheel 102 Apr 19 10:21 VMfiles
0: group:everyone inherited allow list,add_file,file_inherit,directory_inherit
/Users/Shared/VirtualBoxVMS/HDs:
total 50118984
-rw-------+ 1 root wheel 25660919808 Apr 22 09:07 Win7.vdi
0: group:everyone inherited allow read,write
Only root can read/write per posix permissions, but the ACL is letting mike see it.
/Users/Shared/VirtualBoxVMS/SharedWithMac:
/Users/Shared/VirtualBoxVMS/VMfiles:
total 0
drwx------+ 5 root wheel 170 Apr 22 09:07 Windows7
0: group:everyone inherited allow list,add_file,file_inherit,directory_inherit
Here, mike cannot even list the contents of the directory, despite the ACL explicitly allowing it.
/Users/Shared/VirtualBoxVMS/VMfiles/Windows7:
ls: Logs: Permission denied
ls: Windows7.vbox: Permission denied
ls: Windows7.vbox-prev: Permission denied
ls: Windows7: Permission denied
And when I do ls -lRe as root via sudo, the ACLs are as expected. mike SHOULD be able to access this directory!
pharmacyvpn117-7:Shared mike$ sudo ls -lRe /Users/Shared/VirtualBoxVMS/VMfiles/Windows7
total 32
drwx------+ 3 root wheel 102 Apr 19 10:21 Logs
0: group:everyone inherited allow list,add_file,file_inherit,directory_inherit
-rw-------+ 1 root wheel 7578 Apr 22 09:07 Windows7.vbox
0: group:everyone inherited allow read,write
-rw-------+ 1 root wheel 7509 Apr 22 09:07 Windows7.vbox-prev
0: group:everyone inherited allow read,write
/Users/Shared/VirtualBoxVMS/VMfiles/Windows7/Logs:
total 272
-rw-------+ 1 root wheel 135772 Apr 22 09:07 VBox.log
0: group:everyone inherited allow read,write
I have reproduced this on another Mac running 10.8.3
Anyone know why??
ACLs applied to VMfiles directory is ignored...
-
bruce.desertrat
- Posts: 18
- Joined: 9. Nov 2011, 01:26
- Primary OS: Mac OS X other
- VBox Version: OSE other
- Guest OSses: windows linux
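Added example (not part of the original post): a shell filter that reads `ls -lRe` output like the listing above and reports directories where neither the POSIX mode for "other" nor any allow ACL entry grants `search`, the right macOS requires to reach the entries inside a directory. The sample listing is constructed from lines in the post; the function names, and the assumption that the user being checked matches neither the owner nor the group, are this example's own.

```shell
#!/bin/sh
# Added example: flag directories that a non-owner may list but not traverse.
# Assumes the user matches neither owner nor group; names with spaces unsupported.

find_untraversable() {
    awk -v dir="$1" '
    function flush() {
        # Report the pending directory if neither POSIX nor ACL grants search.
        if (name != "" && !posix_x && !acl_search) print dir "/" name
        name = ""
    }
    /^\/.*:$/ { flush(); dir = substr($0, 1, length($0) - 1); next }
    /^ *[0-9]+: / {
        # ACL entry for the entry line just above it.
        if (name != "" && $0 ~ / allow /) {
            n = split($NF, perm, ",")
            for (i = 1; i <= n; i++) if (perm[i] == "search") acl_search = 1
        }
        next
    }
    /^d/ {
        flush(); name = $NF
        other_x = substr($1, 10, 1)      # execute/search bit for "other"
        posix_x = (other_x == "x" || other_x == "t")
        acl_search = 0
        next
    }
    { flush() }
    END { flush() }
    '
}

sample_listing() {   # constructed from the listing in the post
cat <<'EOF'
total 0
drwxr-xr-x+ 5 root wheel 170 Apr 19 10:21 VirtualBoxVMS
 0: group:everyone allow list,add_file,file_inherit,directory_inherit
/Users/Shared/VirtualBoxVMS/VMfiles:
total 0
drwx------+ 5 root wheel 170 Apr 22 09:07 Windows7
 0: group:everyone inherited allow list,add_file,file_inherit,directory_inherit
/Users/Shared/VirtualBoxVMS/VMfiles/Windows7:
total 32
drwx------+ 3 root wheel 102 Apr 19 10:21 Logs
 0: group:everyone inherited allow list,add_file,file_inherit,directory_inherit
-rw-------+ 1 root wheel 7578 Apr 22 09:07 Windows7.vbox
 0: group:everyone inherited allow read,write
EOF
}

sample_listing | find_untraversable /Users/Shared
```

The argument is the directory that was passed to `ls -lRe`, used as the prefix for entries printed before the first `path:` header.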
Re: ACLs applied to VMfiles directory is ignored...
This is the script I'm running to create this VM. The VM is initially set to boot from our Windows Deployment Server, but that should really have nothing to do with the OS X side of things, where the problem resides:
mkdir /Users/Shared/VirtualBoxVMS
chmod -R +a "everyone allow read,write,file_inherit,directory_inherit" /Users/Shared/VirtualBoxVMS
mkdir /Users/Shared/VirtualBoxVMS/HDs
mkdir /Users/Shared/VirtualBoxVMS/VMfiles
mkdir /Users/Shared/VirtualboxVMS/SharedWithMac
VBoxManage createhd --filename /Users/Shared/VirtualBoxVMS/HDs/Win7.vdi --size 65536
VBoxManage createvm --register --name "Windows7" --basefolder /Users/Shared/VirtualBoxVMS/VMfiles
VBoxManage storagectl "Windows7" --name "SATA Controller" --add sata --controller IntelAHCI
VBoxManage storageattach "Windows7" --storagectl "SATA Controller" --port 0 --device 0 --type hdd --medium "/Users/Shared/VirtualBoxVMS/HDs/Win7.vdi"
VBoxManage storagectl "Windows7" --name "IDE Controller" --add ide
VBoxManage storageattach "Windows7" --storagectl "IDE Controller" --port 0 --device 1 --type dvddrive --medium /Volumes/copds2012u1/Boot/LiteTouch_x64_public_path_11282012.iso
VBoxManage modifyvm "Windows7" --ostype Windows7_64 --memory 2048
VBoxManage modifyvm "Windows7" --acpi on --ioapic on
VBoxManage modifyvm Windows7 --nic1 nat --nictype1 82540EM --usb on --clipboard bidirectional --accelerate3d on --accelerate2dvideo on
VBoxManage modifyvm Windows7 --audio coreaudio --audiocontroller hda --vram 128
VBoxManage sharedfolder add Windows7 --name SharedWithMac --hostpath /Users/Shared/VirtualboxVMS/SharedWithMac --automount
VBoxManage startvm Windows7
Re: ACLs applied to VMfiles directory is ignored...
Hello!
Any further insight into this issue? I seem to have encountered the same problem in much easier circumstances, the sharing of one virtual machine between two users of the same host machine.
Basically, I have followed the approach described on the Apple Support with respect to sharing of an iPhoto library in similar circumstances, which, in effect, creates ACLs very similar to the one described in the previous post.
It works in principle, i.e. you can start the VM by one or the other user. However, once one user has started the VM, at least the files VMname.vbox and VMname.vbox-prev are re-created with the current user as owner and therefore cannot be opened by the other user without manually re-applying the access rights by an admin, which I consider impracticable.
Interestingly, this problem seems to occur even on volumes for which the volume owner is ignored (contrary to the solution described in the iPhoto Support article mentioned above).
Any idea how to stop/circumvent this behavior?
-
noteirak
- Site Moderator
- Posts: 5231
- Joined: 13. Jan 2012, 11:14
- Primary OS: Debian other
- VBox Version: OSE Debian
- Guest OSses: Debian, Win 2k8, Win 7
Re: ACLs applied to VMfiles directory is ignored...
This behaviour is by design: the permissions will always be reset to the last user who ran the VM. VirtualBox is not meant to share VMs across several user accounts.
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!